[Openid-specs-ab] [openid/connect] Messages - Does OIDC invalid_redirect_uri error override default OAuth 2.0 behaviour? (issue #684)
Vladimir Dzhuvinov
issues-reply at bitbucket.org
Fri Nov 23 11:12:54 UTC 2012
New issue 684: Messages - Does OIDC invalid_redirect_uri error override default OAuth 2.0 behaviour?
https://bitbucket.org/openid/connect/issue/684/messages-does-oidc-invalid_redirect_uri
Vladimir Dzhuvinov:
Hi guys,
OAuth 2.0 states that if the authorisation request has a "missing, invalid, or mismatching redirection URI" an error message should be presented to the end-user and redirection should not occur.
http://tools.ietf.org/html/rfc6749#section-4.1.2.1
I suppose "mismatching" is to mean a URI that has not been registered with the OP?
OIDC seems to override the OAuth 2.0 behaviour on a "mismatching" redirect URI and requires instead an error code to be returned to the client:
http://openid.bitbucket.org/openid-connect-messages-1_0.html#anchor6
*invalid_redirect_uri The redirect_uri in the Authorization Request does not match any of the Client's pre-registered redirect_uris.*
Am I interpreting the spec correctly?
If yes, the current "invalid" qualifier in "invalid_redirect_uri" sounds a bit ambiguous as it may also mean that the URI doesn't parse correctly. Perhaps "redirect_uri_not_registered" would be a better match for this error condition.
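As an added illustration (not part of Vladimir's message or of either spec text), here is an authorization-endpoint check that applies the RFC 6749 rule quoted above: a missing, malformed or unregistered redirect_uri yields an error shown to the end-user, and no redirect to the supplied URI ever happens. The client registry and the client_id value are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Dict, Set
from urllib.parse import urlsplit

# Constructed registry: client_id -> exact redirect URIs registered at the OP.
REGISTERED: Dict[str, Set[str]] = {
    "s6BhdRkqt3": {"https://client.example.org/cb"},
}


@dataclass(frozen=True)
class Decision:
    redirect_to: Optional[str]   # URI the server may redirect to, or None
    user_error: Optional[str]    # message rendered locally to the end-user


def check_redirect_uri(client_id: str, redirect_uri: Optional[str]) -> Decision:
    """RFC 6749 s4.1.2.1: if the redirection URI is missing, invalid or
    mismatching, inform the resource owner and do NOT redirect."""
    registered = REGISTERED.get(client_id)
    if registered is None:
        return Decision(None, "unknown client_id")

    if redirect_uri is None:
        # s3.1.2.3: the parameter may be omitted only when exactly one URI
        # was registered; that registered URI is then the target.
        if len(registered) == 1:
            return Decision(next(iter(registered)), None)
        return Decision(None, "redirect_uri missing")

    parts = urlsplit(redirect_uri)
    # Absolute URI required; s3.1.2 forbids a fragment component.
    if not parts.scheme or not parts.netloc or parts.fragment:
        return Decision(None, "redirect_uri malformed")

    # s3.1.2.3: compare with simple string comparison, never by prefix,
    # host or pattern; anything else opens the door to open redirects.
    if redirect_uri not in registered:
        return Decision(None, "redirect_uri not registered")

    return Decision(redirect_uri, None)
```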